Haxcms-php@* Security Vulnerabilities and Issues — Haxcms-php@* CVE List

Lucene search

PsuHaxcms-php*

8 matches found

CVE•added 2025/06/09 9:15 p.m.•50 views

CVE-2025-49141

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the gitImportSite functionality obtains a URL string from a POST request and insufficiently validates user input. The set_remote function later passes this input into proc_open, yielding OS comm...

8.8CVSS9AI score0.00576EPSS

CVE•added 2025/04/08 4:15 p.m.•49 views

CVE-2025-32028

HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a ’save’ function in ’HAXCMSFile.php’. This save function uses a denylist to block specific file types from being uploaded to the server. This list is no...

9.9CVSS7.1AI score0.00064EPSS

CVE•added 2025/06/09 9:15 p.m.•46 views

CVE-2025-49138

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field...

6.5CVSS6.4AI score0.0006EPSS

Web

CVE•added 2025/06/09 9:15 p.m.•45 views

CVE-2025-49139

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited...

6.5CVSS5.1AI score0.00055EPSS

CVE•added 2025/06/09 9:15 p.m.•43 views

CVE-2025-49137

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in th...

8.5CVSS8.4AI score0.00048EPSS

CVE•added 2025/07/26 4:16 a.m.•10 views

CVE-2025-54378

HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS d...

8.3CVSS6.1AI score0.00044EPSS

CVE•added 2025/07/11 6:15 p.m.•9 views

CVE-2025-53642

haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6.

6.5CVSS6.5AI score0.00036EPSS

CVE•added 2025/07/23 12:15 a.m.•6 views

CVE-2025-54139

HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an if...

6.1CVSS6.8AI score0.00052EPSS